### Description
Captured sip on a server using Captagent, when using UDP the destination_ip is parsed from the message itself when using TCP the destination_ip and destination_port is of the server running Kamailio.
### Troubleshooting
#### Reproduction
Sipcapture using Kamailio on TCP
#### SIP Traffic
<!-- If the issue is exposed by processing specific SIP messages, grab them with ngrep or save in a pcap file, then add them next, or attach to issue, or provide a link to download them (e.g., to a pastebin site). -->
``` T 10.203.134.187:10398 -> 10.203.134.194:9060 [AP] HEP3.@................................... Z&..... . ................ .........
........
.........myhep......SIP/2.0 487 Request cancelled. Via: SIP/2.0/UDP 10.203.134.187;received=10.203.134.187;rport=5060;branch=z9hG4bKUgUv1StZ9HmgF. From: "bal bal" sip:17325559837@10.203.134.187;tag=ZSNe61tKX2gFp. To: sip:VH111@call.net;tag=eee99bc01afb99338debc1f2a2cfb1a1-c5c8. Call-ID: 3ed76454-5479-1236-b8a0-0688e01b7b70. CSeq: 115908963 INVITE. Server: OpenSIPS (2.2.5 (x86_64/linux)). Content-Length: 0. .
##```
### Possible Solutions
<!-- If you found a solution or workaround for the issue, describe it. Ideally, provide a pull request with a fix. --> ``` Using the parsed header, something like: $var(dstip) = $hep(0x004); ``` ### Additional Information
* **Kamailio Version** - output of `kamailio -v`
``` version: kamailio 5.2.0-dev0 (x86_64/linux) ```
* **Operating System**:
<!-- Details about the operating system, the type: Linux (e.g.,: Debian 8.4, Ubuntu 16.04, CentOS 7.1, ...), MacOS, xBSD, Solaris, ...; Kernel details (output of `uname -a`) -->
``` Debian 8.4 ```
BTW, the parsing works just fine for UDP, is it done differently?
Have you set next core parameter?
* https://www.kamailio.org/wiki/cookbooks/devel/core#tcp_accept_hep3
yes
Is the event route used, like in:
* https://github.com/kamailio/kamailio/issues/1294#issuecomment-342075959
Yeah, that is my issue as well
I checked the binary of the received packet, on UDP the data is extracted from the packet itself while on TCP it is taken from the connection info (s.ip, s.port, d.ip, d.port) Maybe with UDP, it uses hep module while with TCP, it uses sipcapture module?
I was misled by the comment that parsing is working for UDP, so I thought is more or less same as the other issue ...
Do you use same config for handling UDP and TCP hep traffic? Can you post it somewhere to see what functions are used and then check the code for them?
I am using the same server, seeing different results for traffic that arrives over UDP compared to TCP.
``` ####### Global Parameters #########
fork=yes children=8 tcp_children=8
/* uncomment the next line to disable TCP (default on) */ # disable_tcp=yes
/* IP and port for HEP capturing) */ listen=tcp:HOMER_LISTEN_IF:HOMER_LISTEN_PORT listen=udp:HOMER_LISTEN_IF:HOMER_LISTEN_PORT
tcp_accept_hep3=1 tcp_accept_no_cl=yes ...
####### Routing Logic ######## modparam("sipcapture", "db_url", "mysql://root:****@*****/****") modparam("sipcapture", "capture_on", 1) modparam("sipcapture", "hep_capture_on", 1) modparam("sipcapture", "insert_retries", 5) modparam("sipcapture", "insert_retry_timeout", 10) #new event sipcapture socket modparam("sipcapture", "nonsip_hook", 1) #modparam("sipcapture", "capture_node", "homer01") ...
route[STORE] {
$var(a) = $var(table) + "_" + $var(utc); sip_capture("$var(a)"); } ...
event_route[sipcapture:request] {
#Is it SIP ? if($hep(0x00b) == 1) { #Do parsing internal return 1; } else { #If report lets proceed here with payload xlog("HEP CHUNK PAYLOAD $hep(0x00f) request from $si:$sp\n"); return 0; } } ```
Anything odd here? Should I look somewhere else?
The code of the module needs to be analyzed for this case. Maybe @adubovikov or @giavac can provide a quick hint/fix of what is going wrong there.
Hi @azigelman - just to double check, would you please share the binary of one of the HEP3 messages received over TCP? A pcap with a single frame would do. Thanks.
Sure: 48 45 50 33 01 cf 00 00 00 01 00 07 02 00 00 00 02 00 07 11 00 00 00 07 00 08 13 c4 00 00 00 08 00 08 13 c6 00 00 00 09 00 0a 5a 27 fd 7d 00 00 00 0a 00 0a 00 0f 22 81 00 00 00 0b 00 07 01 00 00 00 0c 00 0a 00 00 07 d0 00 00 00 03 00 0a 0a cb 86 80 00 00 00 04 00 0a 0a cb 86 bb 00 00 00 0e 00 0b 6d 79 68 65 70 00 00 00 0f 01 67 4f 50 54 49 4f 4e 53 20 73 69 70 3a 31 30 2e 32 30 33 2e 31 33 34 2e 31 38 37 3a 35 30 36 32 20 53 49 50 2f 32 2e 30 0d 0a 56 69 61 3a 20 53 49 50 2f 32 2e 30 2f 55 44 50 20 31 30 2e 32 30 33 2e 31 33 34 2e 31 32 38 3a 35 30 36 30 3b 62 72 61 6e 63 68 3d 7a 39 68 47 34 62 4b 33 33 35 39 2e 38 35 64 63 31 38 63 31 2e 30 0d 0a 54 6f 3a 20 73 69 70 3a 31 30 2e 32 30 33 2e 31 33 34 2e 31 38 37 3a 35 30 36 32 0d 0a 46 72 6f 6d 3a 20 3c 73 69 70 3a 70 72 6f 62 65 72 40 6c 6f 63 61 6c 68 6f 73 74 3e 3b 74 61 67 3d 33 66 62 32 65 66 31 62 32 38 35 32 65 64 65 32 33 61 38 35 36 33 35 65 62 36 30 64 33 61 66 35 2d 62 33 38 30 0d 0a 43 53 65 71 3a 20 31 30 20 4f 50 54 49 4f 4e 53 0d 0a 43 61 6c 6c 2d 49 44 3a 20 32 33 66 61 64 62 61 65 33 38 66 32 32 35 39 30 2d 32 38 32 36 30 40 30 2e 30 2e 30 2e 30 0d 0a 4d 61 78 2d 46 6f 72 77 61 72 64 73 3a 20 37 30 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4f 70 65 6e 53 49 50 53 20 28 32 2e 32 2e 35 20 28 78 38 36 5f 36 34 2f 6c 69 6e 75 78 29 29 0d 0a 0d 0a
I already analyzed it and made sure that the data here is correct
Have you found anything? Should I try to patch it as well?
At the moment I've only been able to reproduce the issue, but I have no solution yet. If you spot the issue or find a patch feel free to say and I'll test/review. Thanks.
Closing, see PR #1379.
Closed #1353.
-
Amit Zigelman -
Daniel-Constantin Mierla
-
Giacomo Vacca